For PCI-DSS compliance you have to disable weak ciphers. PCI-DSS permits a minimum cipher size of 128 bits.

However for the highest score (0 I believe) you should only accept 168 bit ciphers but you can still be compliant if you permit 128 bit ciphers.

The trouble is that when we disable all but 168 bit encryption it seems to disable both inbound and out bound secure channels.

For example we'd like to lock down inbound IIS HTTPS to 168 bit ciphers but permit outbound 128 bit SSL connections to payment gateways/services from service applications running on the server (not all payment gateways support 168 bit only we just found out today).

Is it possible to have cipher asymmetry on Windows 2003? I am told it is all or nothing.

2 Answers
2

I believe it is all or nothing but if you disable the RC2/128 and RC4/128 ciphers, will that help? The 128 but RCx ciphers are considered medium-grade while ciphers like AES-128 are still considered high encryption. (I must confess, I don't know what the scoring system is based on)